In a recent disclosure by our research team at Kryptowire we detailed the impact of a change to security enforcement logic in the Android OS. The change only included a few lines of code but the impact to the security of thousands of mobile devices was immense. With a code base that requires 250GB of space to download it’s not surprising that minor errors or security problems would persist, the code base is simply too large to ensure full coverage during manual reviews and change impact assessments. In this case, even Google’s own product team seemed not be aware of the key app protection change that caused several vulnerabilities on their own Pixel devices. How could third party vendors like Nokia, Xiaomi, and others be expected to properly adjust their practices to fit the new protection scheme if Google’s own teams could not?
It appears that this change in behavior was not communicated to vendors and app developers. Pre-installed apps developed by vendors — Google included — continued to place pre-installed apps in directories where no protection would be granted for protected broadcasts, leaving them vulnerable to spoofing.NEWS: Unprotected Broadcast Vulnerability Disclosed by Kryptowire | Kryptowire
The answer is inclusion of effective automated security testing in development and deployment of devices and apps. Kryptowire’s research team applied our automated testing tools to the firmware of the affected devices and was able to quickly identify the vulnerabilities described in the disclosure. As the complexity and size of modern mobile code bases continues to grow inclusion of automated security testing tools will need to grow as well, even for the most experienced companies in the industry.